VYPR
Medium severity 5.9 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 22, 2026

CVE-2026-32419

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS. This issue affects List category posts: from n/a through <= 0.93.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in List category posts plugin ≤0.93.1 allows script injection via improper input neutralization.

Vulnerability Overview

The List category posts plugin for WordPress versions up to and including 0.93.1 contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary JavaScript into the DOM of a victim's browser when they interact with a crafted page.

Exploitation Details

Exploitation requires user interaction, such as clicking a malicious link or submitting a specially crafted form [1]. The attack can be initiated by a user with low privileges, but successful execution depends on a privileged user performing the action. The vulnerability is classified as DOM-Based, meaning the payload is processed client-side rather than server-side.

Impact

A successful attack allows the attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when visitors access the affected site [1]. This can lead to defacement, data theft, or further compromise of the WordPress installation.

Mitigation

The vendor has released version 0.94.0 which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
